Abstract

One protocol (called the primary protocol) is independent of other protocols (jointly called the secondary protocol) if the question whether the primary protocol achieves a security goal never depends on whether the secondary protocol is in use.

In this paper, we use multiprotocol strand spaces ([27], cf. [28]) to prove that two cryptographic protocols are independent if they use encryption in non-overlapping ways. This theorem (Proposition 7.2) applies even if the protocols share public key certificates and secret key "tickets".

We use the method of [8, 7] to study penetrator paths, namely sequences of penetrator actions connecting regular nodes (message transmissions or receptions) in the two protocols. Of special interest are inbound linking paths, which lead from a message transmission in the secondary protocol to a message reception in the primary protocol. We show that bundles can be modified to remove all inbound linking paths, if encryption does not overlap in the two protocols. The resulting bundle does not depend on any activity of the secondary protocol. We illustrate this method using the Neuman-Stubblebine protocol as an example [21, 27].


1 Introduction

Whether a cryptographic protocol achieves a security goal depends on what cannot happen. To authenticate a regular principal engaging in a protocol run, we must observe a pattern of messages that can only be constructed by that principal in that run, regardless of how the penetrator combines his own actions with those of principals engaging in other runs [5]. When several cryptographic protocols are combined, the penetrator has new opportunities to obtain the messages which ought to authenticate principals to their peers. Indeed, because protocol mixing has shown itself to be a significant cause of protocol failure, and makes protocol analysis more difficult [2, 6, 12, 19, 27, 29], it has been identified [20] as a key problem in applying formal methods to cryptographic protocols.

Moreover, in practice, different protocols using cryptography are usually combined. A key distribution protocol is useful only if the session key it delivers is used for encryption. That later use may involve constructing messages similar to messages used in the key distribution protocol itself. Does this make replay attacks possible? Does the use of a key undermine the guarantees provided by the protocol distributing that key?

There are other reasons why protocol mixture is prevalent. Many recent protocols have large numbers of different options, and therefore have large numbers of different sub-protocols [18, 9, 4, 19]. Each of these protocols may be easy to analyze on its own. But the same principal is required to be able to engage in any sub-protocol. Can the penetrator manipulate this willingness for his own purposes?

When protocols are mixed together, and we want to appraise whether the security of one is affected by the others, we will refer to the protocol under study as the primary protocol. We will refer to the others as secondary protocols.

Common sense suggests a rule of thumb when protocols are to be mixed together. This rule is that if the primary protocol uses a particular form of encrypted message as a test to authenticate a peer [7], then the secondary protocols should not construct a message of that form. The sets of encrypted messages that the different protocols handle should be disjoint. One way to arrange for this is to give each protocol some distinguishing value, such as a number; that number may then be included as part of each plaintext before encipherment. Then no principal can mistake a value as belonging to the wrong protocol. Another way to achieve disjoint encryption is to ensure that different protocols never use the same key, although this may be expensive or difficult to arrange.

Although the Abadi-Needham paper on prudent engineering practice for cryptographic protocols [1] does not discuss mixing different protocols, this rule (to try to achieve disjoint encryption) is in the same spirit as those it proposes.

In this paper we will prove that, properly formalized, it suffices. If two protocols have disjoint encryption, then the first protocol is independent of the second. By this we mean that if the first protocol achieves a security goal (whether an authentication goal or a secrecy goal [28]) when the protocol is executed in isolation, then it still achieves the same security goal when executed in combination with the second protocol. One of the advantages of our approach is that the result works for all secrecy and authentication goals; in this it continues a trend visible from several recent papers [16, 11, 26, 25, 10].

Section 2 introduces some background, summarizing the basic ideas and notation of strand spaces (with more detail in Appendix A and [28]). Section 3 introduces some notions not used in [28]; multiprotocol strand spaces were introduced in [27], and new components are emphasized in [7].

Section 4 studies paths through bundles, and introduces two special forms for bundles, in which the penetrator avoids roundabout activities; additional detail and proofs may be found in [8]. In the remainder of the paper we study bundles of these special forms in multiprotocol strand spaces, focusing on the relation between events in the primary protocol and events in the secondary protocol. Section 5 considers the private values that the primary protocol assumes will not be guessed. Section 6 defines our technical notion of disjoint encryption and Section 7 proves the protocol independence theorem, of which we give an application in Section 8.

2 Strand Spaces

Terms. $\mathsf{A}$ is the set of messages that can be sent between principals. We call elements of $\mathsf{A}$ terms. $\mathsf{A}$ is freely generated from two disjoint sets, $\mathsf{T}$ (representing texts such as nonces or names) and $\mathsf{K}$ (representing keys) by means of concatenation and encryption. The concatenation of terms $g$ and $h$ is denoted $g\ h$, and the encryption of $h$ using key $K$ is denoted $\{|h|\}_K$. (See Appendix A.1.)

A term $t$ is a subterm of another term $t'$, written $t \sqsubseteq t'$, if starting with $t$ we can reach $t'$ by repeatedly concatenating with arbitrary terms and encrypting with arbitrary keys. Hence, $K \not\sqsubseteq \{|t|\}_K$, except in case $K \sqsubseteq t$. The subterms of $t$ are the values that are uttered when $t$ is sent; in $\{|t|\}_K$, $K$ is not uttered but used. (See Definition A.2.)

Strand Spaces, Origination, and Bundles. A strand is a sequence of message transmissions and receptions, where transmission of a term $t$ is represented as $+t$ and reception of term $t$ is represented as $-t$. A strand element is called a node. If $s$ is a strand, $\langle s, i\rangle$ is the $i$th node on $s$. The relation $n \Rightarrow n'$ holds between nodes $n$ and $n'$ if $n = \langle s, i\rangle$ and $n' = \langle s, i+1\rangle$. Hence, $n \Rightarrow^+ n'$ [respectively, $n \Rightarrow^* n'$] means that $n = \langle s, i\rangle$ and $n' = \langle s, j\rangle$ for some $j > i$ [respectively, for some $j \geq i$]. The relation $n \to n'$ represents inter-strand communication; it means that $\mathrm{term}(n) = +t$ and $\mathrm{term}(n') = -t$.

A strand space $\Sigma$ is a set of strands. The two relations $\Rightarrow$ and $\to$ jointly impose a graph structure on the nodes of $\Sigma$. The vertices of this graph are the nodes, and the edges are the union of $\Rightarrow$ and $\to$.

We say that a term $t$ originates at a node $n = \langle s, i\rangle$ if the sign of $n$ is positive; $t \sqsubseteq \mathrm{term}(n)$; and $t \not\sqsubseteq \mathrm{term}(\langle s, i'\rangle)$ for every $i' < i$. Thus, $n$ represents a message transmission that includes $t$, and it is the first node in $s$ including $t$. If a value originates on only one node in the strand space, we call it uniquely originating; uniquely originating values are desirable as nonces and session keys.

A bundle is a causally well-founded collection of nodes and arrows of both kinds. In a bundle, when a strand receives a message $m$, there is a unique node transmitting $m$ from which the message was immediately received. By contrast, when a strand transmits a message $m$, many strands (or none) may immediately receive $m$. Given any bundle $\mathcal{C}$, there is a natural partial ordering on the nodes of $\mathcal{C}$, which we refer to as $\preceq_{\mathcal{C}}$, according to which $n_1 \preceq_{\mathcal{C}} n_2$ if there is a path from $n_1$ to $n_2$ using zero or more arrows of either kind. This relation expresses the fact that $n_1$ causally contributes to $n_2$ occurring in $\mathcal{C}$. (See Definitions A.5, A.7.)


Regular Strands and Penetrator Strands. A strand represents the local view of a participant in a run of a protocol. For a legitimate participant, it represents the messages that participant would send or receive as part of one particular run of his side of the protocol. We call a strand representing a legitimate participant a regular strand. For the penetrator, the strand represents an atomic deduction. More complex actions can be formed by connecting several penetrator strands. While regular principals are represented only by what they say and hear, the behavior of the penetrator is represented more explicitly, because the values he deduces are treated as if they had been said publicly.

We partition penetrator strands according to the operations they exemplify. E-strands encrypt when given a key and a plaintext; D-strands decrypt when given a decryption key and matching ciphertext; C-strands and S-strands concatenate and separate terms, respectively; K-strands emit keys from a set of known keys; and M-strands emit known atomic texts or guesses. (See Definition A.9.)
3 New Components and Multiprotocol Strand Spaces

When a node transmits or receives a concatenated message, the penetrator (using C-strands and S-strands) has full power over how the parts are concatenated together. Thus, the important units for protocol correctness are what we call the components (Definition A.2). Components are either atomic values or encryptions. A term $t_0$ is a component of $t$ if $t_0 \sqsubseteq t$, $t_0$ is not a concatenated term, and every $t_1 \neq t_0$ such that $t_0 \sqsubseteq t_1 \sqsubseteq t$ is a concatenated term. For instance, the three components of the concatenated term

$$B\ \{|N_a\ K\ \{|K\ N_b|\}_{K'}|\}_K\ N_a$$

are $B$, $\{|N_a\ K\ \{|K\ N_b|\}_{K'}|\}_K$, and $N_a$.

A term $t$ is new at $n = \langle s, i\rangle$ if $t$ is a component of $\mathrm{term}(n)$, but $t$ is not a component of node $\langle s, j\rangle$ for every $j < i$ (Definition A.2). A component is new even if it has occurred earlier as a nested subterm of some larger component $\cdots \{|\cdots t \cdots|\}_K \cdots$. We say $t$ is a component of $n$ if $t$ is a component of $\mathrm{term}(n)$. When a component occurs new on a regular node, then the principal executing that strand has done some cryptographic work to produce the new component. The idea of emphasizing components and the regular nodes at which they occur new is due to Song [24].
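An added illustration (our own example code, not from the paper): a small Python model of the term algebra of Section 2 together with the subterm, component, newness and origination notions defined above, applied to the paper's example term $B\ \{|N_a\ K\ \{|K\ N_b|\}_{K'}|\}_K\ N_a$. The two-node strand used to exercise "new" and "originates" is constructed here.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Added example, not from the paper: a model of the term algebra A (texts T,
# keys K, concatenation, encryption), the subterm relation, components, and
# "new at a node" / "originates at a node" as defined in Sections 2 and 3.


@dataclass(frozen=True)
class Text:          # element of T: a name or nonce
    name: str


@dataclass(frozen=True)
class Key:           # element of K
    name: str


@dataclass(frozen=True)
class Enc:           # {|body|}_key
    body: "Term"
    key: Key


@dataclass(frozen=True)
class Cat:           # the concatenation g h
    left: "Term"
    right: "Term"


Term = Union[Text, Key, Enc, Cat]


def is_subterm(t: Term, t2: Term) -> bool:
    """t is a subterm of t2: t2 is reachable from t by concatenating with
    arbitrary terms and encrypting with arbitrary keys. The key of an
    encryption is used, not uttered, so K is not a subterm of {|h|}_K
    unless K is already a subterm of h."""
    if t == t2:
        return True
    if isinstance(t2, Cat):
        return is_subterm(t, t2.left) or is_subterm(t, t2.right)
    if isinstance(t2, Enc):
        return is_subterm(t, t2.body)      # deliberately ignores t2.key
    return False


def components(t: Term) -> List[Term]:
    """The components of t: the atoms and encryptions that remain once all
    top-level concatenation has been undone (never a concatenated term)."""
    if isinstance(t, Cat):
        return components(t.left) + components(t.right)
    return [t]


# A strand is a list of nodes; node i is (sign, term) with sign '+' or '-'.
Strand = List[Tuple[str, Term]]


def new_components(s: Strand, i: int) -> List[Term]:
    """Components of term(<s, i>) that are not components of any earlier node
    <s, j>, j < i. A term nested inside an earlier component still counts."""
    seen = set()
    for j in range(i):
        seen.update(components(s[j][1]))
    return [c for c in components(s[i][1]) if c not in seen]


def originates(s: Strand, i: int, t: Term) -> bool:
    """t originates at <s, i>: the node is positive, t is a subterm of its
    term, and t is not a subterm of any earlier node on s."""
    sign, term = s[i]
    if sign != "+" or not is_subterm(t, term):
        return False
    return not any(is_subterm(t, s[j][1]) for j in range(i))


# The paper's example term  B {|Na K {|K Nb|}_K' |}_K Na.
B, Na, Nb = Text("B"), Text("Na"), Text("Nb")
K, Kp = Key("K"), Key("K'")
inner = Enc(Cat(K, Nb), Kp)
ticket = Enc(Cat(Na, Cat(K, inner)), K)
example = Cat(B, Cat(ticket, Na))

# Constructed two-node strand: the whole term is received, then the nested
# encryption is re-sent on its own; it occurs new at node 1 even though it
# was already nested inside the component received at node 0.
strand: Strand = [("-", example), ("+", Cat(inner, Na))]

if __name__ == "__main__":
    print(components(example))           # the three components: B, ticket, Na
    print(is_subterm(K, Enc(Nb, K)))     # False: K is used, not uttered
    print(new_components(strand, 1))     # [inner]: nested earlier, still new
```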

To represent multiple protocols [27], we select some regular strands as being runs of the primary protocol; we call these strands primary strands.

Definition 3.1 A multiprotocol strand space is a strand space $(\Sigma, \mathrm{tr})$ together with a distinguished subset of the regular strands $\Sigma_1 \subseteq \Sigma \setminus \mathcal{P}$ (where $\mathcal{P}$ is the set of penetrator strands) called the set of primary strands.

$\Sigma_2$ denotes the set of all other regular strands, called secondary strands. A node is primary or secondary if the strand it lies on is. From the point of view of a particular analysis, the secondary strands represent runs of other protocols, different from the primary one under analysis.

Two bundles are equivalent if they have the same primary nodes.

Definition 3.2 Two bundles $\mathcal{C}, \mathcal{C}'$ in the multiprotocol strand space $(\Sigma, \mathrm{tr}, \Sigma_1)$ are equivalent if and only if, for every node $n \in \Sigma_1$, $n \in \mathcal{C}$ iff $n \in \mathcal{C}'$.

A set $\Phi$ of bundles is invariant under bundle equivalences if for all equivalent bundles $\mathcal{C}$ and $\mathcal{C}'$, $\mathcal{C} \in \Phi \Leftrightarrow \mathcal{C}' \in \Phi$.

Agreement and non-injective agreement properties [15, 28, 30] are invariant under bundle equivalences in this sense. For instance, a non-injective agreement property, expressed in our framework, asserts that whenever a bundle contains nodes of a protocol strand (for instance, a responder strand), then it also contains matching nodes of another strand (for instance, an initiator strand using the same data values). As such, it always concerns what primary nodes must be present in bundles. Penetrator activity or secondary nodes may or may not be present.

Secrecy properties may also be expressed in a form that is invariant under bundle equivalences. We say (temporarily) that a value $t$ is uncompromised in $\mathcal{C}$ if for every $\mathcal{C}'$ equivalent to $\mathcal{C}$, there is no node $n \in \mathcal{C}'$ such that $\mathrm{term}(n) = t$. In this form, a value is uncompromised if the penetrator cannot extract it in explicit form without further cooperation of primary strands. When stated in this form, the assertion that a value is uncompromised is invariant under bundle equivalences.

4 Paths, Normal Bundles, Efficient Bundles

We will now introduce the paths through bundles, and examine some special forms of bundle, such that every bundle is equivalent (in our sense) to a bundle in each of these special forms. [8] contains the proofs that we omit here. The notation $m \longmapsto n$ means:

• either $m \to n$, or else

• $m \Rightarrow^+ n$ with $\mathrm{term}(m)$ negative and $\mathrm{term}(n)$ positive.

A path $p$ through $\mathcal{C}$ is any finite sequence of nodes and edges $n_1 \longmapsto n_2 \longmapsto \cdots \longmapsto n_k$. We refer to the $i$th node of the path $p$ as $p_i$. The length of $p$ is $|p|$, and we write $\ell(p)$ to mean $p_{|p|}$, i.e. the last node in $p$.

Clearly, $p_1 \preceq_{\mathcal{C}} \ell(p)$ whenever there is such a path $p$ with zero or more arrows. The converse is not true. For instance, if $m$ and $n$ lie on the same strand with $m \Rightarrow^+ n$ and $m$ is positive or $n$ is negative, then we do not have $m \longmapsto n$. Unless there happens to be some other path from $m$ to $n$, we have $m \preceq_{\mathcal{C}} n$ without any path from $m$ to $n$.

Proposition 4.1 Let $\mathcal{C}$ be a bundle and $m \preceq_{\mathcal{C}} n$. Then there is a path $p$ where $m \Rightarrow^* p_1$ and $\ell(p) \Rightarrow^* n$.

Proof. If $m$ and $n$ lie on the same strand, then there is the path $p$ with $|p| = 1$ and $p_1 = m$. So assume (inductively) that the proposition holds for all $n' \prec n$. Because $m \preceq n$, there is a sequence of arrows $\to$ and $\Rightarrow$ from $m$ to $n$. If the last arrow is $n' \Rightarrow n$, then (inductively) there is a path $p'$ with $m \Rightarrow^* p'_1$ and $\ell(p') \Rightarrow^* n'$, so that $\ell(p') \Rightarrow^* n$.

Suppose that the last arrow is $n' \to n$. If $\ell(p')$ is negative, we may adjoin the two arrows $\ell(p') \Rightarrow^+ n' \to n$. Suppose next that $\ell(p')$ is positive. If $\ell(p') = n'$, we may adjoin the arrow $n' \to n$ to obtain the desired $p$. If $m \Rightarrow^* \ell(p')$, then we may take $p = n' \to n$. Otherwise, $p'$ is of the form $\cdots \to n'' \Rightarrow^+ \ell(p')$, so we may take $p = \cdots \to n'' \Rightarrow^+ n' \to n$. ■
Proposition 4.2 Suppose that $\mathcal{C}$ is a bundle and $N$ is a set of nodes. Let $G$ be the graph such that

1. $m \in G$ if $m \in \mathcal{C}$ and $m \preceq_{\mathcal{C}} n$ for some $n \in N$;

2. $m_1 \to m_2$ if $m_1, m_2 \in G$ and $m_1 \to m_2$ in $\mathcal{C}$;

3. $m_1 \Rightarrow m_2$ if $m_1, m_2 \in G$ and $m_1 \Rightarrow m_2$ in $\mathcal{C}$.

Then $G$ is a bundle, called $\mathcal{C} \restriction N$. Moreover, if $\mathcal{C} \cap \Sigma_1 \subseteq N$, $\mathcal{C} \restriction N$ is equivalent to $\mathcal{C}$.

Proof. Clearly $G$ is finite and acyclic, as it is a subgraph of $\mathcal{C}$. Suppose that $n_2 \in G$ is a negative node; we want to show that Clause 1 in the definition of bundle holds. Because $\mathcal{C}$ is a bundle, there is a unique $n_1$ in $\mathcal{C}$ such that $n_1 \to n_2$ in $\mathcal{C}$; by Clause 1, $n_1 \in G$; by Clause 2, $n_1 \to n_2$ in $G$.

Suppose next that $n_2 \in G$ and $n_1 \Rightarrow n_2$. Then $n_1 \in G$ by Clause 1, because $n_1 \preceq_{\mathcal{C}} n_2$. By Clause 3, the relation holds between them in $G$ also. So Clause 2 in the definition of bundle holds.

Suppose that $\mathcal{C} \cap \Sigma_1 \subseteq N$. Since we always have $n \preceq_{\mathcal{C}} n$, $\mathcal{C} \cap \Sigma_1 \subseteq G$. Since every node in $G$ is in $\mathcal{C}$, we may infer that $G \cap \Sigma_1 \subseteq \mathcal{C} \cap \Sigma_1$, so that $\mathcal{C}$ and $\mathcal{C} \restriction N$ have the same primary nodes. ■

From Propositions 4.1 and 4.2 it follows that if $\mathcal{C}$ has no path leading from a secondary node to a primary node, then the secondary nodes are irrelevant, because $\mathcal{C} \restriction \Sigma_1$ is equivalent to $\mathcal{C}$ but has no secondary nodes. We call such a path an inbound linking path. Conversely, if $p_1 \in \Sigma_1$ and $\ell(p) \in \Sigma_2$, then $p$ is an outbound linking path. We have thus taken the point of view of the primary protocol, because the results of this paper are not symmetrical between the two protocols.
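An added example (our own code, not the paper's) of the construction just described: bundles as directed graphs with the causal order $\preceq_{\mathcal{C}}$, the restriction $\mathcal{C} \restriction N$ of Proposition 4.2, and the inbound linking path test that Propositions 4.1 and 4.2 together justify. The node names and the two small bundles (one with and one without an inbound linking path) are constructed for illustration.

```python
from collections import deque
from typing import Dict, Set, Tuple

# Added example, not from the paper. Nodes are named strings; each is tagged
# 'primary', 'secondary' or 'penetrator'. Two edge kinds: 'send' edges are
# the inter-strand arrows m -> n, 'nxt' edges are the strand successor
# arrows m => n.
Edge = Tuple[str, str]


class Bundle:
    def __init__(self, kinds: Dict[str, str], send: Set[Edge], nxt: Set[Edge]):
        self.kinds = dict(kinds)
        self.send = set(send)
        self.nxt = set(nxt)

    @property
    def nodes(self) -> Set[str]:
        return set(self.kinds)

    def predecessors(self, n: str) -> Set[str]:
        return {m for (m, x) in self.send | self.nxt if x == n}

    def causal_past(self, n: str) -> Set[str]:
        """All m with m precedes-or-equals n: reachable to n by zero or more
        arrows of either kind (so n itself is included)."""
        seen, todo = {n}, deque([n])
        while todo:
            x = todo.popleft()
            for m in self.predecessors(x):
                if m not in seen:
                    seen.add(m)
                    todo.append(m)
        return seen

    def restrict(self, targets: Set[str]) -> "Bundle":
        """The restriction of Proposition 4.2: keep exactly the nodes that
        causally precede some node in targets, plus the arrows between them."""
        keep: Set[str] = set()
        for n in targets:
            keep |= self.causal_past(n)

        def inside(e: Edge) -> bool:
            return e[0] in keep and e[1] in keep

        return Bundle({m: self.kinds[m] for m in keep},
                      {e for e in self.send if inside(e)},
                      {e for e in self.nxt if inside(e)})

    def of_kind(self, kind: str) -> Set[str]:
        return {m for m, k in self.kinds.items() if k == kind}

    def equivalent(self, other: "Bundle") -> bool:
        """Definition 3.2: equivalent bundles have the same primary nodes."""
        return self.of_kind("primary") == other.of_kind("primary")

    def has_inbound_linking_path(self) -> bool:
        """Some secondary node causally precedes a primary node; by
        Proposition 4.1 that is exactly when a path from a secondary node
        to a primary node exists."""
        secondary = self.of_kind("secondary")
        return any(self.causal_past(n) & secondary
                   for n in self.of_kind("primary"))


def prune_secondary(c: Bundle) -> Bundle:
    """The restriction of c to its primary nodes: equivalent to c, and free of
    secondary nodes exactly when c has no inbound linking path."""
    return c.restrict(c.of_kind("primary"))


# Constructed bundle 1: primary strand a1 => a2, a penetrator strand p1 => p2
# relaying a1's message to a2, and a secondary strand s1 => s2 that merely
# overhears a1 (an outbound linking path, but no inbound one).
KINDS = {"a1": "primary", "a2": "primary",
         "p1": "penetrator", "p2": "penetrator",
         "s1": "secondary", "s2": "secondary"}
NO_INBOUND = Bundle(KINDS,
                    send={("a1", "p1"), ("p2", "a2"), ("a1", "s1")},
                    nxt={("a1", "a2"), ("p1", "p2"), ("s1", "s2")})

# Constructed bundle 2: what the penetrator forwards to a2 is the secondary
# run's output s2, giving the inbound linking path s2 -> p1 => p2 -> a2.
INBOUND = Bundle(KINDS,
                 send={("s2", "p1"), ("p2", "a2"), ("a1", "s1")},
                 nxt={("a1", "a2"), ("p1", "p2"), ("s1", "s2")})

if __name__ == "__main__":
    for name, c in [("no inbound", NO_INBOUND), ("inbound", INBOUND)]:
        pruned = prune_secondary(c)
        print(name, c.has_inbound_linking_path(),
              sorted(pruned.nodes), pruned.equivalent(c))
```

In the first bundle the pruned result drops s1 and s2 yet stays equivalent; in the second, the secondary nodes survive pruning because a2 depends on them.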

Unless otherwise indicated, we henceforth assume all paths begin on a positive node, and end on a negative node. Given a path $p$, one edge immediately precedes another edge in $p$ if they are separated in $p$ by a single edge.

Definition 4.3 A path $p$ is a penetrator path if $p_i$ is a penetrator node whenever $i$ is neither $1$ nor $|p|$.

A $\Rightarrow^+$-edge on a penetrator strand is constructive if it lies on an E or C strand. It is destructive if it lies on a D or S strand.

Any other penetrator node lies on a K or M strand, and is called an initial node. By analogy with Prawitz's notion of normal derivation [23], we define:

Definition 4.4 A bundle $\mathcal{C}$ is normal if, for any penetrator path of $\mathcal{C}$, every destructive edge precedes every constructive edge.

In [8] we show a result akin to one in [3]:

Proposition 4.5 (Penetrator Normal Form Lemma) For any bundle $\mathcal{C}$ there exists an equivalent normal bundle $\mathcal{C}'$.


Figure 1. Entering a D or E strand through a key edge


4.1 Rising and Falling Paths

Normal bundles are more predictable than bundles in general because the penetrator never builds up values just to take them apart again. In particular, certain penetrator paths in a normal bundle have a natural relation to the structure of the terms that they manipulate.

Definition 4.6 A penetrator path is falling if for all adjacent nodes $n \longmapsto n'$ on the path $\mathrm{term}(n') \sqsubseteq \mathrm{term}(n)$. It is rising if for all adjacent nodes $n \longmapsto n'$ on the path $\mathrm{term}(n) \sqsubseteq \mathrm{term}(n')$.

A path containing only destructive edges may not be falling, since a destructive path may traverse a decryption strand entering through the key transmission edge (Figure 1). Call the edge so labeled in Figure 1 a D-key edge. The other incoming edge into a D strand is a D-cyphertext edge.

Paths entering an encryption strand through the key transmission edge (Figure 1) are symmetrical. We refer to an E-key edge and an E-plaintext edge. In this case we have a stronger conclusion, because a constructive $p$ can traverse an E-key edge only once, along the edge $p_1 \longmapsto p_2$, and only if $\mathrm{term}(p_1) \in \mathsf{K}$. After that we have a compound term, not an atomic key.

Proposition 4.7 A destructive path that enters decryption strands only through D-cyphertext edges is falling.

A constructive path that enters encryption strands only through E-plaintext edges is rising, and this is the case for any constructive $p$ such that $\mathrm{term}(p_1) \notin \mathsf{K}$.

By examining the destructive strands, and using induction, we may infer:

Proposition 4.8 Suppose that $p$ is a falling penetrator path, and $\mathrm{term}(\ell(p)) = t$ where $t$ is simple. Then for some $j$ with $1 \leq j \leq |p|$, $t \sqsubseteq \mathrm{term}(p_j)$ and $\mathrm{term}(p_j)$ is a component of $p_1$.
Figure 2. Internal Bridge (Destructive to Constructive)

4.2 Transformation Paths

Definition 4.9 A transformation path is a path for which each node $p_i$ is labelled by a component $\mathcal{L}_i$ of $p_i$ in such a way that $\mathcal{L}_i = \mathcal{L}_{i+1}$ unless $p_i \Rightarrow^+ p_{i+1}$ and $\mathcal{L}_{i+1}$ is new on the strand of $p_{i+1}$.

In the following result [8, Proposition 3.18], the path $p$ may terminate on a positive node.

Proposition 4.10 Suppose that $\Sigma$ is a strand space, and $\mathcal{C}$ a bundle in $\Sigma$. If $m \in \mathcal{C}$, $a \sqsubseteq t$ and $t$ is a component of $m$, then there exists a transformation path $(p, \mathcal{L})$ through $\mathcal{C}$ such that

1. $a$ originates on $p_1$, while $\ell(p) = m$ and $\mathcal{L}_{|p|} = t$,

2. $a \sqsubseteq \mathcal{L}_j$ for all $j = 1$ to $|p|$, and

3. $p$ never traverses the key node of an E-strand or D-strand.

Moreover, $\mathcal{L}_{j-1} \sqsubseteq \mathcal{L}_j = \mathrm{term}(p_j)$ if $p_j$ is a positive E-node, and $\mathcal{L}_j \sqsubseteq \mathcal{L}_{j-1} = \mathrm{term}(p_{j-1})$ if $p_j$ is a positive D-node, while $\mathcal{L}_j = \mathcal{L}_{j-1}$ if $p_j$ is a positive C-node or S-node.

4.3 Bridges

All destructive edges precede constructive edges in a normal penetrator path. The edge that separates the destructive portion of a path from the constructive portion is of special interest. We call it a bridge.

Definition 4.11 A bridge in a bundle $\mathcal{C}$ is a message transmission edge $m \to n$ embedded in a subgraph of one of the types shown in Figures 2 to 5.

If $m \to n$ is a bridge, then its bridge term is $\mathrm{term}(m)$, which equals $\mathrm{term}(n)$.

A bridge is simple iff its bridge term is simple, that is, is not of the form $g\ h$.

Any edge between regular nodes is an external bridge. The source $m$ of a bridge $m \to n$ is never on a constructive penetrator strand, and the target $n$ is never on a destructive penetrator strand.


Regular  Constructive 
h 


Figure  3.  Entry  Bridge 

Destructive  Regular 


Figure  4.  Exit  Bridge 

Proposition 4.12 Suppose that $\mathcal{C}$ is a normal bundle, and $p$ is any penetrator path in $\mathcal{C}$. Then $p$ traverses exactly one bridge. Any destructive edge along $p$ precedes the bridge of $p$, and any constructive edge on $p$ follows the bridge of $p$.

Any bundle $\mathcal{C}$ can be replaced by an equivalent bundle $\mathcal{C}'$ in which all bridges are simple; moreover if $\mathcal{C}$ is normal so is $\mathcal{C}'$.

By this proposition, there is a function $\mathrm{pbt}(\cdot)$ from paths to terms that is well-defined on every penetrator path in normal bundles. Given a penetrator path $p$, $\mathrm{pbt}(p)$ is the path bridge term of $p$, which is the bridge term of the (unique) bridge on $p$. We may assume that $\mathrm{pbt}(p)$ is always simple, which is to say either an atomic value or an encryption.

A bundle with simple bridges is a kind of worst case scenario, because the penetrator separates and re-concatenates every message between regular nodes. However, much of Section 7 is simpler with the assumption of simple bridges.

Proposition 4.13 Suppose $\mathcal{C}$ is a normal bundle with simple bridges. If $(p, \mathcal{L})$ is a transformation path in $\mathcal{C}$ where $p$ is a penetrator path which starts at a bridge, then there is a smallest index $\alpha$ such that $\mathrm{term}(p_\alpha) = \mathcal{L}_i = \mathcal{L}_{|p|}$ whenever $\alpha \leq i \leq |p|$. Moreover, if $\mathcal{L}$ is not constant then $p_\alpha$ is the positive node of an E-strand.

Thus if $p$ starts at a bridge, there is always an index $\alpha$ such that $\mathrm{term}(p_\alpha) = \mathcal{L}_{|p|}$.

Similarly, if $(p, \mathcal{L})$ is a transformation path in $\mathcal{C}$ where $p$ is a penetrator path which ends at a bridge, then either $\mathcal{L}$ is constant or there is a smallest index $\beta$ such that $\mathcal{L}_\beta \neq \mathcal{L}_1$; $p_\beta$ is the positive node of a D-strand and $\mathrm{term}(p_{\beta-1}) = \mathcal{L}_{\beta-1}$.

Thus if $p$ ends at a bridge, there is always an index $\beta'$ such that $\mathrm{term}(p_{\beta'}) = \mathcal{L}_1$.

Figure 5. External Bridge (Regular to Regular)

Proof. New components of penetrator strands occur only on D-strands or E-strands. Since $p$ is a penetrator path, $\mathcal{L}_{i+1} \neq \mathcal{L}_i$ if and only if $p_{i+1}$ is the positive node of an E-strand or the positive node of a D-strand. If $p_{i+1}$ is the positive node of an E-strand, then $\mathrm{term}(p_{i+1})$ is an encrypted term and therefore $\mathrm{term}(p_{i+1})$ has only one component. Therefore, $\mathrm{term}(p_{i+1}) = \mathcal{L}_{i+1}$. If $p_{i+1}$ is the positive node of a D-strand, then $\mathrm{term}(p_i)$ is an encrypted term so that similarly $\mathrm{term}(p_i) = \mathcal{L}_i$.

Notice that if $\mathcal{L}$ is constant and $p_i$ is a bridge node, the simple bridges assumption implies $\mathrm{term}(p_i)$ consists of a single component. Clearly, $\mathcal{L}_1 = \mathcal{L}_{|p|} = \mathcal{L}_i = \mathrm{term}(p_i)$. ■

4.4 Efficient Bundles

Definition 4.14 A bundle is efficient if and only if, for every node $m$ and negative node $n$, if every component of $n$ is a component of $m$, then there is no regular node $m'$ such that $m \prec m' \prec n$.

We call a bundle of this kind efficient because the penetrator does the most with what he can get from the node $m$, rather than making use of additional, unnecessary regular nodes such as $m'$. In [8] we prove:

Proposition 4.15 Any bundle $\mathcal{C}$ is equivalent to an efficient bundle $\mathcal{C}'$. Moreover, $\mathcal{C}'$ may be chosen to be normal and to have simple bridges.

Proposition 4.16 Suppose $\mathcal{C}$ is a normal efficient bundle with simple bridges and $(p, \mathcal{L})$, $(p', \mathcal{L}')$ are transformation paths in $\mathcal{C}$. Assume $p$ is a penetrator path which starts at a bridge, $p'$ is a penetrator path which ends at a bridge and there is some regular node $m$ such that $\ell(p) \prec m \prec p'_1$. Then for all $i$ with $1 \leq i \leq |p|$ and $j$ with $1 \leq j \leq |p'|$, $\mathcal{L}_i \neq \mathcal{L}'_j$.

Proof. By considering the transformation path $(p, \mathcal{L})$ restricted to the integer interval $[1 \ldots i]$ and the transformation path $(p', \mathcal{L}')$ restricted to the integer interval $[j \ldots |p'|]$ we may assume without loss of generality that $i = |p|$ and $j = 1$.

By Proposition 4.13, there are indices $\alpha, \beta$ such that $\mathrm{term}(p_\alpha) = \mathcal{L}_{|p|}$ and $\mathrm{term}(p'_\beta) = \mathcal{L}'_1$. In particular, $p_\alpha \prec m \prec p'_\beta$ and $\mathrm{term}(p_\alpha)$, $\mathrm{term}(p'_\beta)$ both have single components. Therefore, by bundle efficiency, $\mathrm{term}(p_\alpha) \neq \mathrm{term}(p'_\beta)$. In particular, $\mathcal{L}'_1 \neq \mathcal{L}_{|p|}$. ■


5 Public Values and Full Spaces

For what values does privacy matter? Which values should the penetrator be assumed not to know initially, and not to be lucky enough to guess?

By a security goal, we mean a theorem about authentication or secrecy [28, Section 8.2]. A security goal is typically a universally quantified implication, concerning every strand space $\Sigma$ of a particular kind, every bundle $\mathcal{C}$ in $\Sigma$, and every choice of additional parameters that determine particular principals, keys, and data values. The implication takes the form:

    if $\mathcal{C}$ contains primary nodes matching certain templates, and some conditions hold on the parameters,

    then some additional nodes must exist in $\mathcal{C}$ (in the case of an authentication goal), or must not exist in $\mathcal{C}$ (in the case of a secrecy goal).

The conditions on the parameters frequently stipulate that a value should be unknown to the penetrator, or that it should be chosen unpredictably. When a value is subject to an assumption of this kind, let us call that value a privacy value for the security goal. We will also call a set of nodes that instantiate the primary node templates in the antecedent for a choice of values for the parameters a core node set for the security goal. The security goal is "talking about" strand spaces and bundles including the core node set, in which the conditions on the parameters hold true.

Examination of a variety of security goals [28, 27, 7] for different protocols suggests that there are two types of assumptions about privacy values:

1. Assumptions about long term keys, which are used for encryption in a protocol, but never uttered as a subterm of any message;

2. Assumptions about values originating uniquely on some primary strand of the protocol.

We will call the values involved long term privacy values and fresh privacy values respectively.

Suppose that we are considering a particular security goal, and have selected a core node set. Many different strand spaces will contain these nodes, for instance if they differ only in their penetrator strands, especially penetrator M-strands and K-strands, which are the strands that determine whether a privacy value is given to the penetrator. So long as we do not add strands that falsify a privacy assumption for some parameter used in the given core node set, we may freely add M-strands and K-strands to a space $\Sigma$. Adding strands that do not falsify privacy assumptions cannot convert a space $\Sigma$, to which some security goal applies, into a space $\Sigma'$ in which the assumptions of that goal are not met. If a privacy assumption is already false in $\Sigma$, then no penetrator strands we add can make a difference to it.

Moreover, a privacy assumption is false whenever a privacy value originates on a secondary strand of $\Sigma$. Hence, adding an M-strand or K-strand for this value cannot falsify any privacy assumption that is satisfied in $\Sigma$. We regard a space $\Sigma$ as full when all of these harmless M-strands and K-strands are present in $\Sigma$:

Definition 5.1 A strand space $\Sigma$ is full if every atomic value $a \in \mathsf{T} \cup \mathsf{K}$ that originates on any secondary strand in $\Sigma$ also originates on some M-strand or K-strand in $\Sigma$.

An atomic value $a \in \mathsf{T} \cup \mathsf{K}$ is private in $\Sigma$ if $a$ never originates on a secondary or penetrator strand in $\Sigma$. Otherwise, it is public. A concatenated value $g\ h$ is public if $g$ and $h$ are. An encrypted value $\{|h|\}_K$ is public if $h$ and $K$ are.

Observe that if $\Sigma$ is full, then $t$ is public if and only if there is a bundle $\mathcal{C}$ consisting only of penetrator strands and containing a node with term $t$.

Definition  5.2  A  bundle  C  is  standard  if 

1 .  C  is  normal,  efficient,  and  has  simple  bridges;  and 

2.  If  an  atomic  value  a  €  T  U  K  originates  on  any  sec¬ 
ondary  node  in  C,  then  a  also  originates  on  some  pen¬ 
etrator  node  ria  G  C;  ifterm{m)  =  —a,  then  ria  m. 


Clause  2  is  a  way  of  stating  that  if  some  principal  execut¬ 
ing  a  secondary  protocol  is  lucky  enough  to  guess  the  value 
a,  then  the  penetrator  may  be  that  lucky,  too,  and  we  may 
suppose  that  the  penetrator  supplies  it  to  any  consumer. 

Proposition  5.3  //E  is  a  full  strand  space  and  C  is  a  bundle 
in  E,  then  there  is  a  standard  bundle  C  in  E  such  that  C'  is 
equivalent  to  C. 

Proof.  Clause  1  holds  by  Propositions  4.5,  4.12,  and  4.15. 

To  establish  Clause  2,  observe  that  there  are  finitely 
many  secondary  nodes  in  C.  Only  finitely  many  values 
a  G  T  U  K  may  originate  at  each,  so  the  values  originat¬ 
ing  on  secondary  nodes  form  a  finite  set  S.  Thus,  we  may 
add  finitely  many  M  and  K  strands  to  C,  originating  each 
a  G  S';  these  strands  must  exist  in  E  because  E  is  full.  We 
refer  to  the  new  penetrator  node  originating  a  G  S  as  n® .  If 
n  G  C  is  a  negative  node  with  term(n)  =  a  G  S,  then  there 
is  a  unique  m  such  that  m  ^  n.  We  replace  this  arrow  with 
ria  ti.  Hence  Clause  2  is  satisfied  in  the  resulting  bundle. 


6 Disjoint Encryption

The simplest way to state the disjoint encryption assumption would be to require that the two protocols not use the same ciphertext as a part of any message. That would mean that if $n_1 \in \Sigma_1$ and $n_2 \in \Sigma_2$, and if $\{|h|\}_K \sqsubseteq \mathrm{term}(n_1)$, then $\{|h|\}_K \not\sqsubseteq \mathrm{term}(n_2)$.

However, this simple version is unnecessarily restrictive. The secondary protocol would be unable to accept public-key certificates generated in the primary protocol, which is intuitively harmless because the contents are public in any case. The secondary protocol would also be unable to re-use symmetric-key tickets such as those generated by the Kerberos Key Distribution Center [13]. These are also intuitively harmless, so long as the secondary protocol does not extract private values from within them, or repackage their private contents, potentially insecurely. Hence we allow these harmless exceptions to the requirement that no encrypted term be used by both protocols.

Definition 6.1 (Disjoint Outbound Encryption) $\Sigma$ has disjoint outbound encryption if and only if the following always holds. Suppose given a positive node $n_1 \in \Sigma_1$ and a negative $n_2 \in \Sigma_2$, and private $a \sqsubseteq \{|h|\}_K$ such that $\{|h|\}_K \sqsubseteq \mathrm{term}(n_1)$ and $\{|h|\}_K \sqsubseteq \mathrm{term}(n_2)$. Then there is no positive $n_2'$ such that $n_2 \Rightarrow^{+} n_2'$ and $a$ occurs in a new component of $n_2'$.

This definition has the important property that atomic values cannot "zigzag" back and forth from primary to secondary nodes, before being disclosed to the penetrator.

Proposition 6.2 (No Zigzags) Let $\Sigma$ have disjoint outbound encryption, and let $\mathcal{C}$ be a standard bundle in $\Sigma$. Suppose $(p, \ell)$ is a transformation path such that $\mathrm{term}(\ell(p)) = -a$ where $a \in K \cup T$, $a \sqsubseteq \ell_i$ for all $1 \le i \le |p|$, and $p_k \in \Sigma_2$. Then $p_j \notin \Sigma_1$ for $j < k$.

In particular, $a$ is not private.

Proof. Argue by contradiction and suppose that $p_j \in \Sigma_1$ with $j < k$. If we choose $j$ to be the greatest such value, and assume $k$ chosen to be the least number $> j$ such that $p_k \in \Sigma_2$, then $p_j \mapsto \cdots \mapsto p_k$ is a penetrator path. Since $\mathcal{C}$ is standard, $p_j \mapsto \cdots \mapsto p_k$ has a simple bridge $p_\beta \to p_{\beta+1}$, so $a \sqsubseteq \mathrm{term}(p_\beta) = \ell_\beta$. Since $a = \mathrm{term}(\ell(p))$, by efficiency, $a \neq \mathrm{term}(p_\beta)$. Thus, $a \sqsubseteq e = \mathrm{term}(p_\beta)$, where $e$ is an encrypted unit $\{|h|\}_K$.

Let $\gamma > k$ be the smallest index such that $\ell_\gamma \neq \ell_{\gamma+1}$. The node $p_\gamma$ cannot be a penetrator node, because then $e = \mathrm{term}(p_\gamma) = \ell_{k-1}$, which contradicts Proposition 4.16. If $p_\gamma \in \Sigma_1$, then there is a penetrator path leading to it, again violating Proposition 4.16. Therefore, $p_\gamma \in \Sigma_2$.

Since $p_{\gamma+1}$ has a new component with subterm $a$, by outbound disjoint encryption, $a$ is not private. By the definition of standard bundle (Definition 5.2, Clause 2), $\mathcal{C}$ contains an M- or K-node $n_a$ such that $a = \mathrm{term}(n_a)$, and $n_a \to \ell(p)$, contradicting our choice of $p$.

To infer that $a$ is not private, use Proposition 4.10 to obtain a transformation path $(p, \ell)$ such that $a$ originates at $p_1$, and apply the preceding. ∎

For inbound linking paths, we must also choose the exceptions to naive disjoint encryption. We stipulate that encrypted units may be exceptions if they are not included in a new component of a secondary node, but are emitted only in the same form in which they were received by the secondary protocol previously. When a positive secondary node emits an exception, the component must have been received previously on the same strand, and not newly manufactured and potentially useful to the penetrator.

Definition 6.3 (Disjoint Encryption) $\Sigma$ has disjoint inbound encryption if, for all negative $n_1 \in \Sigma_1$ and positive $n_2 \in \Sigma_2$, and for all $\{|h|\}_K \sqsubseteq \mathrm{term}(n_1)$ and $\{|h|\}_K \sqsubseteq \mathrm{term}(n_2)$, then $\{|h|\}_K \not\sqsubseteq t_0$, for any new component $t_0$ of $n_2$.

$\Sigma$ has disjoint encryption if it has both disjoint inbound encryption and disjoint outbound encryption.

7 The Protocol Independence Theorem

Definition 7.1 $\Sigma_1$ is independent of $\Sigma_2$ if for every bundle $\mathcal{C}$ in $\Sigma$, there is a bundle $\mathcal{C}'$ in $\Sigma$ that is equivalent to $\mathcal{C}$ such that $\mathcal{C}'$ is disjoint from $\Sigma_2$.

Proposition 7.2 (Protocol Independence) If $\Sigma$ is full, and has disjoint encryption, then $\Sigma_1$ is independent of $\Sigma_2$.

Proof. By Proposition 5.3, we may assume that $\mathcal{C}$ is standard. We want to show that there are no inbound linking paths in $\mathcal{C}$.

Let $p$ be an inbound linking path. Suppose first that $p$ traverses an atomic value $a \in T \cup K$. This may either be the key edge into a D or E strand, or it may be the bridge of $p$. In any case, let $a$ be the first atomic value on $p$. If $a$ is public, then because $\mathcal{C}$ is standard (Definition 5.2), Clause 2 contradicts the assumption that $p$ is an inbound linking path. Therefore $a$ would have to be private, but that contradicts Proposition 6.2.

Suppose next that $p$ never traverses an atomic value. Then in particular it never traverses a key edge into a D or E strand. Thus, the path bridge term $\mathrm{pbt}(p) \sqsubseteq \mathrm{term}(p_1)$ and $\mathrm{pbt}(p) \sqsubseteq \mathrm{term}(\ell(p))$. Since $\mathrm{pbt}(p)$ is not atomic but it is simple, it is of the form $\{|h|\}_K$. Therefore, by disjoint inbound encryption, it does not occur in a new component of $p_1$. If $\{|h|\}_K \sqsubseteq t$ where $t$ is a component of $p_1$, then there is $m \Rightarrow^{+} p_1$ such that $t$ is a component of $m$. Since (Proposition 4.8) there is a node $p_i$ such that $\mathrm{term}(p_i) = t$, the relations $m \prec p_1 \prec p_i$ contradict efficiency.

Therefore there is no inbound linking path $p$ in any standard bundle $\mathcal{C}$. It follows that there are no $n_1 \in \mathcal{C} \cap \Sigma_1$ and $n_2 \in \mathcal{C} \cap \Sigma_2$ such that $n_2 \prec n_1$, because by Proposition 4.1, there would be a path with $n_2 \Rightarrow^{*} p_1$ and $\ell(p) \Rightarrow^{*} n_1$, and $p$ would be an inbound linking path. Hence, we may apply Proposition 4.2, letting $N = \Sigma_1$. ∎

An easy consequence of this theorem shows that if the primary and secondary protocols share no keys whatever, then we have independence.

Corollary 7.3 Let $\Sigma$ be full. For $i = 1$ and $2$, let $\mathcal{K}_i$ be the set of $K$ such that $K \sqsubseteq \mathrm{term}(n)$ for any $n \in \Sigma_i$ or $\{|h|\}_K \sqsubseteq \mathrm{term}(n)$ for any $h$ and any $n \in \Sigma_i$.

If $\mathcal{K}_1 \cap \mathcal{K}_2 = \emptyset$, then $\Sigma_1$ is independent of $\Sigma_2$.

In realistic situations, if $\Sigma_1$ and $\Sigma_2$ involve the activity of different principals, and the keys for the protocols are chosen in an unpredictable way from a large set, then the keys they use will never overlap. Therefore, $\Sigma_1$ is independent of $\Sigma_2$. The same holds when the same principals may participate in both protocols, but they choose keys independently for each protocol.

8 An Application of Protocol Independence

The familiar Neuman-Stubblebine protocol [21] will illustrate the usefulness of the Protocol Independence Theorem. It contains two sub-protocols. We will call the first sub-protocol the authentication protocol and the second sub-protocol the re-authentication protocol. In the authentication sub-protocol, a key distribution center generates a session key for an initiator (a network client) and a responder (a network server); the message exchange is shown in Figure 6. This session key is embedded in a re-usable ticket of the form $\{|A\,K\,T|\}_{K_{BS}}$. In the re-authentication sub-protocol, the key distribution center no longer needs to be involved; the initiator presents the same ticket again to the responder, as shown in Figure 7 on the left. We have added a fictitious message $B\,\{|A\,K\,T|\}_{K_{BS}}$, which is sent by a strand of the authentication protocol and received by a strand of the re-authentication protocol. It represents a portion of the client's state in the implementation. Clearly, representing this internal state as a visible message could only add vulnerabilities, not conceal them.

We regard the re-authentication protocol as the secondary protocol; the presence of the re-authentication protocol should not undermine any security guarantee offered by the primary protocol. However, terms of the form $\{|N|\}_K$ are constructed as new components on secondary strands, and accepted on primary strands. Hence the corresponding multiprotocol strand space does not have disjoint inbound encryption. Indeed, the penetrator can use a session of the re-authentication protocol to complete a responder strand in a bundle with no initiator [27].


For this reason, we amend the re-authentication protocol to the form shown on the right of Figure 7 [27]. To apply our independence theorem, we check that the corresponding strand space $\Sigma$ has disjoint encryption. But that is trivial, because tickets $\{|A\,K\,T|\}_{K_{BS}}$ are the only common encrypted subterms of primary and secondary nodes. The outbound property holds because no private subterm of a ticket is uttered in a new component of a secondary node. The inbound property holds because no new component of a secondary node contains a ticket.

Therefore, if $\Sigma$ is a full strand space and $\mathcal{C}$ is a counterexample to some security property, we may deform $\mathcal{C}$ into an equivalent standard bundle $\mathcal{C}'$, in which there are no secondary nodes. $\mathcal{C}'$ is still a counterexample, assuming that the security property is invariant under bundle equivalences, as authentication and secrecy properties are. Thus, if the primary protocol fails to meet the security goal, that is independent of the presence of the secondary protocol: the corrected Neuman-Stubblebine re-authentication protocol is entirely guiltless in this affair.

Figure 6. Neuman-Stubblebine Part I (Authentication), between the initiator A, the key distribution center S and the responder B:

M1 (A to B): $A\,N_a$

M2 (B to S): $B\,\{|A\,N_a\,T|\}_{K_{BS}}\,N_b$

M3 (S to A): $\{|B\,N_a\,K\,T|\}_{K_{AS}}\,\{|A\,K\,T|\}_{K_{BS}}\,N_b$

M4 (A to B): $\{|A\,K\,T|\}_{K_{BS}}\,\{|N_b|\}_K$

M5 (fictitious, from A's authentication strand to its re-authentication strand): $B\,\{|A\,K\,T|\}_{K_{BS}}$


Figure 7. Neuman-Stubblebine Part II, original (left) and modified (right). [Message-sequence diagram not recoverable from the scan; both versions begin with the fictitious message $B\,\{|A\,K\,T|\}_{K_{BS}}$ received from Part I, followed by the ticket $\{|A\,K\,T|\}_{K_{BS}}$ presented to the responder and nonces $N'_a$, $N'_b$ exchanged under the session key $K$.]
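As an added illustration, not code from the paper, the following Python encodes the term algebra of Appendix A (the subterm relation of Definition A.2, which excludes the encrypting key, and the new components of Definition A.4) and runs the disjoint inbound encryption check of Definition 6.3 on the Part I responder strand against the Part II strands, including the fictitious message that makes the forwarded ticket an old rather than a new component. The tuple encoding, the sorted variables standing for protocol parameters, and the `fixed` variant are constructed for this example; that variant is not the paper's modification in Figure 7.

```python
# Constructed encoding (not the paper's): atoms ('text', n) / ('key', n), protocol
# parameters as sorted variables ('var', n, sort), ('enc', body, key), ('join', g, h).
def Txt(n): return ('text', n)
def V(n, sort='text'): return ('var', n, sort)
def E(body, key): return ('enc', body, key)
def J(*ts):  # right-nested concatenation g h
    return ts[0] if len(ts) == 1 else ('join', ts[0], J(*ts[1:]))

def subterms(t):
    """Definition A.2: a ⊑ {|g|}_K iff a ⊑ g, so the encrypting key is not a subterm."""
    yield t
    for sub in {'enc': t[1:2], 'join': t[1:]}.get(t[0], ()):
        yield from subterms(sub)

def components(t):  # the simple (non-join) pieces of t
    return components(t[1]) + components(t[2]) if t[0] == 'join' else [t]

def new_components(trace, i):
    """Definition A.4(5): components of node i that no earlier node on the strand has."""
    earlier = {c for _, m in trace[:i] for c in components(m)}
    return [c for c in components(trace[i][1]) if c not in earlier]

def unify(a, b, s):
    """Syntactic unification; a variable binds only to an atom or variable of its sort."""
    while a in s: a = s[a]
    while b in s: b = s[b]
    if a == b: return s
    for x, y in ((a, b), (b, a)):
        if x[0] == 'var' and (y[0] == x[2] or (y[0] == 'var' and y[2] == x[2])):
            return {**s, x: y}
    if a[0] != b[0] or a[0] not in ('enc', 'join'): return None
    s = unify(a[1], b[1], s)
    return None if s is None else unify(a[2], b[2], s)

def inbound_violations(primary, secondary):
    """Pairs (e1, e2) breaking Definition 6.3: e1 is an encrypted unit in the term of a
    negative primary node, e2 one inside a *new* component of a positive secondary node."""
    accepted = [e for tr in primary for sg, m in tr if sg == '-'
                for e in subterms(m) if e[0] == 'enc']
    emitted = [e for tr in secondary for i, (sg, _) in enumerate(tr) if sg == '+'
               for c in new_components(tr, i) for e in subterms(c) if e[0] == 'enc']
    return [(e1, e2) for e1 in accepted for e2 in emitted if unify(e1, e2, {}) is not None]

A, B, KBS = Txt('A'), Txt('B'), ('key', 'K_BS')
def ticket(k): return E(J(A, k, V('T')), KBS)          # {|A K T|}_{K_BS}
# Primary: responder B's strand in Part I (Figure 6): receives M1, sends M2, receives M4.
Kab, Na, Nb = V('K', 'key'), V('N_a'), V('N_b')
primary = [[('-', J(A, Na)), ('+', J(B, E(J(A, Na, V('T')), KBS), Nb)),
            ('-', J(ticket(Kab), E(Nb, Kab)))]]

def reauth(fixed):
    """Part II strands of A and B. A first *receives* the fictitious B {|A K T|}_{K_BS}
    from Part I, so the forwarded ticket is not a new component. fixed=True is a
    constructed variant (not Figure 7, right): both nonces are encrypted together."""
    K2, Na2, Nb2 = V("K'", 'key'), V("N'_a"), V("N'_b")
    m2 = J(Nb2, E(J(Na2, Nb2) if fixed else Na2, K2))
    m3 = E(J(Nb2, Na2) if fixed else Nb2, K2)
    a = [('-', J(B, ticket(K2))), ('+', J(ticket(K2), Na2)), ('-', m2), ('+', m3)]
    b = [('-', J(ticket(K2), Na2)), ('+', m2), ('-', m3)]
    return [a, b]

if __name__ == '__main__':
    print(inbound_violations(primary, reauth(fixed=False)))  # two {|N|}_K clashes
    print(inbound_violations(primary, reauth(fixed=True)))   # []
```

On the original Part II the check reports the two $\{|N|\}_K$ units the secondary strands build as new components, matching the violation described above; on the constructed variant it reports none, while the shared ticket is never flagged because it is always received before being forwarded.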
A Strands, Bundles, and the Penetrator

A.1 Terms

Assume given a set $T$ of atomic texts and a set $K$ of cryptographic keys disjoint from $T$. $K$ is equipped with a unary inverse operator $\mathrm{inv} : K \to K$.

Definition A.1 $\mathsf{A}$ is the algebra freely generated from $T$ and $K$ by the two binary operators $\mathrm{encr} : K \times \mathsf{A} \to \mathsf{A}$ and $\mathrm{join} : \mathsf{A} \times \mathsf{A} \to \mathsf{A}$.

We write $\mathrm{inv}(K)$ as $K^{-1}$, $\mathrm{encr}(K, m)$ as $\{|m|\}_K$, and $\mathrm{join}(a, b)$ as $a\,b$. If $S$ is a set of keys, $S^{-1}$ denotes the set of inverses of elements of $S$. Our assumption that $\mathsf{A}$ is freely generated (see also [14, 17, 22]) stretches back to Dolev and Yao [5]. Freeness is crucial for the results in this paper.

Definition A.2 The subterm relation $\sqsubseteq$ is defined inductively, as the smallest relation such that $a \sqsubseteq a$; $a \sqsubseteq \{|g|\}_K$ if $a \sqsubseteq g$; and $a \sqsubseteq g\,h$ if $a \sqsubseteq g$ or $a \sqsubseteq h$.

If $\mathcal{S} \subseteq K$, then $t_0 \sqsubseteq_{\mathcal{S}} t$ if $t$ is in the smallest set containing $t_0$ and closed under encryption with $K \in \mathcal{S}$ and concatenation with all terms $t_1$.

The encryption-free terms form the smallest set $\mathsf{S}$ including $T$ and $K$ and closed under concatenation. A term $t$ is simple if it is not of the form $g\,h$. $t_0$ is a component of $t$ if $t_0$ is simple and $t_0 \sqsubseteq t$.

By this definition, for $K \in K$, we have $K \sqsubseteq \{|g|\}_K$ only if $K \sqsubseteq g$ already.

A.2 Strand Spaces

In a protocol, principals can either send or receive terms. We represent transmission of a term as the occurrence of that term with positive sign, and reception of a term as its occurrence with negative sign.

Definition A.3 A signed term is a pair $(\sigma, a)$ with $a \in \mathsf{A}$ and $\sigma$ one of the symbols $+$, $-$. We will write a signed term as $+t$ or $-t$. $(\pm\mathsf{A})^*$ is the set of finite sequences of signed terms. We will denote a typical element of $(\pm\mathsf{A})^*$ by $\langle(\sigma_1, a_1), \ldots, (\sigma_n, a_n)\rangle$.

A strand space over $\mathsf{A}$ is a set $\Sigma$ together with a trace mapping $\mathrm{tr} : \Sigma \to (\pm\mathsf{A})^*$.

We will usually represent a strand space by its underlying set of strands $\Sigma$. We often ignore the distinction between signed terms and ordinary unsigned terms.

Definition A.4 Fix a strand space $\Sigma$.

1. A node is a pair $(s, i)$, with $s \in \Sigma$ and $i$ an integer satisfying $1 \le i \le \mathrm{length}(\mathrm{tr}(s))$. The set of nodes is denoted by $\mathcal{N}$. If $n = (s, i) \in \mathcal{N}$ then $\mathrm{index}(n) = i$ and $\mathrm{strand}(n) = s$. Define $\mathrm{term}(n)$ to be $(\mathrm{tr}(s))_i$, i.e. the $i$th signed term in the trace of $s$.

2. There is an edge $n_1 \to n_2$ iff $\mathrm{term}(n_1) = +t$ and $\mathrm{term}(n_2) = -t$ for some $t \in \mathsf{A}$. When $n_1 = (s, i)$ and $n_2 = (s, i+1)$, there is an edge $n_1 \Rightarrow n_2$. We write $n' \Rightarrow^{+} n$ when $n' = (s, i)$ and $n = (s, j)$ for some $j > i$.

3. An unsigned term $t_0$ originates on $n \in \mathcal{N}$ iff $\mathrm{term}(n) = +t$, $t_0 \sqsubseteq t$, and whenever $n' \Rightarrow^{+} n$, $t_0 \not\sqsubseteq \mathrm{term}(n')$.

4. An unsigned term $t$ is uniquely originating iff $t$ originates on a unique $n \in \mathcal{N}$.

5. A component $t_1$ of $\mathrm{term}(n_1)$ is new at $n_1$ if, for every node $n_0$ such that $n_0 \Rightarrow^{+} n_1$, $t_1$ is not a component of $\mathrm{term}(n_0)$.

A.3 Bundles and Causal Precedence

A bundle is a finite subgraph of $(\mathcal{N}, (\to \cup \Rightarrow))$, for which we can regard the edges as expressing the causal dependencies of the nodes.

Definition A.5 Suppose $\to_{\mathcal{C}} \subseteq \to$; suppose $\Rightarrow_{\mathcal{C}} \subseteq \Rightarrow$; and suppose $\mathcal{C} = (\mathcal{N}_{\mathcal{C}}, (\to_{\mathcal{C}} \cup \Rightarrow_{\mathcal{C}}))$ is a subgraph of $(\mathcal{N}, (\to \cup \Rightarrow))$. $\mathcal{C}$ is a bundle if $\mathcal{N}_{\mathcal{C}}$ and $\to_{\mathcal{C}} \cup \Rightarrow_{\mathcal{C}}$ are finite, and:

1. If $n_2 \in \mathcal{N}_{\mathcal{C}}$ and $\mathrm{term}(n_2)$ is negative, then there is a unique $n_1$ such that $n_1 \to_{\mathcal{C}} n_2$.

2. If $n_2 \in \mathcal{N}_{\mathcal{C}}$ and $n_1 \Rightarrow n_2$ then $n_1 \Rightarrow_{\mathcal{C}} n_2$.

3. $\mathcal{C}$ is acyclic.

When a strand receives a message $t$, there is a unique node transmitting $t$ from which the message was immediately received. By contrast, when a strand transmits a message $t$, many strands may immediately receive $t$.

Notational Convention A.6 If $\mathcal{C} = (\mathcal{N}_{\mathcal{C}}, \to_{\mathcal{C}} \cup \Rightarrow_{\mathcal{C}})$ is a bundle, then $n \in \mathcal{C}$ means $n \in \mathcal{N}_{\mathcal{C}}$, and $s \in \mathcal{C}$ means all of the nodes of $s$ are in $\mathcal{N}_{\mathcal{C}}$.

Definition A.7 If $S$ is a set of edges, i.e. $S \subseteq \to \cup \Rightarrow$, then $\prec_S$ is the transitive closure of $S$, and $\preceq_S$ is the reflexive, transitive closure of $S$.

The relations $\prec_S$ and $\preceq_S$ are each subsets of $\mathcal{N}_S \times \mathcal{N}_S$, where $\mathcal{N}_S$ is the set of nodes incident with any edge in $S$.

Proposition A.8 Suppose $\mathcal{C}$ is a bundle. Then $\preceq_{\mathcal{C}}$ is a partial order, i.e. a reflexive, antisymmetric, transitive relation. Every non-empty subset of the nodes in $\mathcal{C}$ has $\preceq_{\mathcal{C}}$-minimal members.

We regard $\preceq_{\mathcal{C}}$ as expressing causal precedence, because $n \prec_{\mathcal{C}} n'$ holds only when $n$'s occurrence causally contributes to the occurrence of $n'$. When a bundle $\mathcal{C}$ is understood, we will simply write $\prec$. Similarly, "minimal" will mean $\preceq_{\mathcal{C}}$-minimal.

A.4 Penetrator Strands

The actions available to the penetrator are relative to the set of keys that the penetrator knows initially. We encode this as the set of penetrator keys $K_P$.

Definition A.9 A penetrator trace relative to $K_P$ is one of the following:

M$_t$ Text message: $\langle +t \rangle$ where $t \in T$.

K$_K$ Key: $\langle +K \rangle$ where $K \in K_P$.

C$_{g,h}$ Concatenation: $\langle -g, -h, +g\,h \rangle$

S$_{g,h}$ Separation: $\langle -g\,h, +g, +h \rangle$

E$_{h,K}$ Encryption: $\langle -K, -h, +\{|h|\}_K \rangle$

D$_{h,K}$ Decryption: $\langle -K^{-1}, -\{|h|\}_K, +h \rangle$.

$\mathcal{P}_\Sigma$ is the set of all strands $s \in \Sigma$ such that $\mathrm{tr}(s)$ is a penetrator trace.

A strand $s \in \Sigma$ is a penetrator strand if it belongs to $\mathcal{P}_\Sigma$, and a node is a penetrator node if the strand it lies on is a penetrator strand. Otherwise it is a regular strand or node.

We assume that all strand spaces have an adequate supply of C, S, E, and D strands; by contrast, M and K strands vary, thus modeling the set of values the penetrator may know or be able to guess.